Let's create guidance for management and auditors concerned about DevOps.
Members (776)

Stream

 
Webinar coming up on Wed. Apr. 29th about implementing DevOps process change: http://bit.ly/1A6VCiv, 10 am PT/1pm ET. This will be a fireside chat between Andi Mann, VP in the Office of the CTO, CA Technologies and Bernard Golden, VP of Strategy, ActiveState, about organizational considerations for enterprises moving towards DevOps, so it may be of interest to this group. Audience Q&A throughout.

Jim Bird

Discussion

A blog post I wrote on the DevOps Audit Defense Toolkit, and steps towards Compliance as Code
Infrastructure as Code is fundamental to DevOps. Automating the work of setting up and maintaining systems infrastructure. Making it defined, efficient, testable, auditable and standardized. For the many of us who work in regulated environments, we need more. We need Compliance as Code.

Logentries

Discussion

DevOps pros -- we're trying to find out more about approaches to debugging. Mind taking this short survey and letting us know your thoughts? We'll share the results across social media. Thanks!
 
trevp.me/devops-survey

Gene Kim
owner

Discussion

All -- +Jeff Gallimore +James D +Byron Miller and I have integrated all your comments up to CS1 and CS2.  We've also added CS3 to cover environments and infrastructure.  We're hoping to wrap up substantive updates to controls by Friday.

Please scrutinize CS3.  (All you puppet/chef/cfengine/docker/ansible fans will likely resonate with it.)

Thank you!

https://docs.google.com/a/itrevolution.net/document/d/1yGSBeKkqhavqk1I21f8UtJBWxDY_Q28nl3SEtcWNFPU/edit#
Okay, all our revisions are in, and all comments have been resolved.  +Jeff Gallimore would like to close the review process on Friday, Aug 8.  Please get your final comments in. 

Especially section CS3, which is new.

Gene Kim
owner

Discussion

That reminds me of some of the old-school hacks where you would compromise someone's complier to inject code into anything they built!  
http://c2.com/cgi/wiki?TheKenThompsonHack

Megan Ericson

Discussion

Through Growing Potential for Effective Enterprise Risk Management, the Requirement for Enterprise Governance, Risk & Compliance (GRC) Solutions Is on the Rise
Download a sample PDF of the report @ http://www.marketsandmarkets.com/pdfdownload.asp?id=1310

Gene Kim
owner

Discussion

It's here!  Early draft of the DevOps Audit Defense Toolkit is posted here -- we're 60% complete, I think, but we'd love comments and feedback.

https://docs.google.com/a/itrevolution.net/document/d/1yGSBeKkqhavqk1I21f8UtJBWxDY_Q28nl3SEtcWNFPU/edit#

+James D +Jeff Gallimore +Byron Miller 

Stephen Ritchie

Discussion

The video in this "AppSec in a DevOps World" post is well worth the 25 min investment. Lots of great ideas supporting a DevOps Audit Defense Toolkit.

James D

Discussion

Are you listed as a public company?  
Are you being audited under attest standards (i.e., SOC or ISAE 3402)?  
Are you doing DevOps (initial, limited, full speed ahead)?  

Please comment below... I am working with Gene and the team here to begin solving this problem in our shared communities.
4 comments

+James D I am working with a colleague in the data center who manages the release management of products that run in our boxes. There are conversations with audit on this and, based on what I have been provided, they get stuck on governance and discussion on this gets extended.

Do you have a reference architecture for the deployment plan that I can read and hopefully use to build our own deployment plan? 

James D

Discussion

"Users who can self-approve, e.g. developers"; "#RunAsFastAsPossible" ... remarks from the twitter-infosec sphere. Cheeky, but important to know the concern exists. I also am seeing serious organizations allowing common end-users to self-escalate their privileges, so there is a culture of proof for #DevOps in the #Audit & #infosec sphere.

Are you seeing the same cultural shift?
2 comments

We've got "developers must never deploy their own code" captured as a common auditor objection/finding.  Any other auditor objections y'all want to put on the list?  Thanks!
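Building on the "Compliance as Code" idea in Jim Bird's post earlier in the stream and the "developers must never deploy their own code" objection in the thread above, here is an added example of what such a control test can look like when it is automated. This is my illustration, not code from the DevOps Audit Defense Toolkit or from any poster; the record fields, the identities, the two policies and the deploy records are all hypothetical and constructed for the example.

```python
# Added example (not code from the toolkit or from any poster on this page):
# a compliance-as-code check that turns the auditor objection "developers
# must never deploy their own code" into an automated control test.
# Record fields, names and the policy below are hypothetical.
import hashlib
import json
from dataclasses import dataclass, asdict


@dataclass(frozen=True)
class DeployRecord:
    """One production deployment as a change-management system might log it."""
    change_id: str
    author: str          # who wrote the change
    approvers: tuple     # who approved it in code review
    deployer: str        # identity that triggered the deploy pipeline
    tests_passed: bool   # did the automated test gate pass before the deploy


def evaluate(rec: DeployRecord, allow_self_deploy: bool = False) -> list[str]:
    """Return the list of control findings; an empty list means compliant.

    Two policies are modelled. The strict one forbids the author from
    deploying at all (classic separation of duties). The alternative accepts
    a self-deploy only when compensating controls are present: an approval by
    someone other than the author, and a passing automated test run.
    """
    findings = []
    independent = [a for a in rec.approvers if a != rec.author]
    if rec.author in rec.approvers:
        findings.append("author approved their own change")
    if not independent:
        findings.append("no independent peer review")
    if not rec.tests_passed:
        findings.append("automated test gate did not pass")
    if rec.deployer == rec.author:
        if not allow_self_deploy:
            findings.append("author deployed their own change")
        elif not independent or not rec.tests_passed:
            findings.append("self-deploy without compensating controls")
    return findings


def audit(records, allow_self_deploy: bool = False) -> dict:
    """Map change_id -> findings for a batch of deploy records."""
    return {r.change_id: evaluate(r, allow_self_deploy) for r in records}


def evidence_line(rec: DeployRecord, allow_self_deploy: bool = False) -> str:
    """One JSON evidence line an auditor can re-verify later: the record, the
    policy it was tested against, the findings, and a digest binding them."""
    body = {
        "record": asdict(rec),
        "allow_self_deploy": allow_self_deploy,
        "findings": evaluate(rec, allow_self_deploy),
    }
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    body["sha256"] = hashlib.sha256(canonical.encode()).hexdigest()
    return json.dumps(body, sort_keys=True)


# Constructed sample records (not real data).
SAMPLE = [
    DeployRecord("CHG-1", "alice", ("bob",), "carol", True),    # clean
    DeployRecord("CHG-2", "alice", ("alice",), "alice", True),  # self-approve, self-deploy
    DeployRecord("CHG-3", "alice", ("bob",), "alice", True),    # self-deploy, controls present
    DeployRecord("CHG-4", "alice", ("bob",), "alice", False),   # self-deploy, tests failed
]

if __name__ == "__main__":
    for policy in (False, True):
        print("allow_self_deploy =", policy)
        for cid, f in audit(SAMPLE, policy).items():
            print(" ", cid, "OK" if not f else "; ".join(f))
    print(evidence_line(SAMPLE[2], allow_self_deploy=True))
```

Under the strict policy CHG-3 is a finding even though it was peer reviewed and tested; under the compensating-controls policy it passes while CHG-2 and CHG-4 still fail. That difference is the conversation the auditor objection is really about: the control objective (no unreviewed, untested change reaches production on one person's say-so) can be met by a different control than a deployment hand-off, provided the evidence for the compensating control is captured every time.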

About this community

Vision: Define the authoritative guidance on how management and auditors should conduct audits where DevOps practices are in place, in support of accurate financial reporting, regulatory obligations (e.g., SEC SOX-404, HIPAA, FedRAMP, EU Model Clauses and the proposed SEC Reg SCI regulations) or contractual obligations (e.g., PCI DSS, DoD DISA), or effective and efficient operations. By doing this, the DevOps Audit Defense Toolkit will elevate the state of the management practice, defining how to understand risks to business objectives and how to correctly scope and substantiate the effectiveness of controls, which reduces the cost of audits and increases their effectiveness. (This community can be accessed at http://bit.ly/DevOpsAudit)

daryl wiest

Discussion

Just listened to the 'One Year of Phoenix Project' episode of the Ship Show Podcast with Gene Kim, it brought me here!   

Sharon Solomon

Discussion

Implementing security in the DevOps process.
While it brings extra productivity and functionality, Continuous Integration security is a huge challenge that requires the selection of the right solution.

Gene Kim
owner

Discussion

+James D and I presented at #Agile2014  this week on the DevOps Audit Defense Toolkit, in a presentation called "Keeping The Auditor Away: DevOps Audit Compliance Case Studies."

http://www.slideshare.net/realgenekim/keeping-the-auditor-away

PS:  Please get your comments to the Toolkit in by Fri Aug 8.  We'd like to close out the review process by then.  Thank you!
Organizations and development teams are moving beyond waterfall models to those embracing a continuous delivery/DevOps-style set of processes. Doing tens, hundreds, or even thousands of deploys per day as 'normal' does not align with the SDLC, separation of duties, and common controls expected by auditors. In this presentation, we will describe what auditors look for in a compliance audit, how to develop alternate control proce...

Gene Kim
owner

Discussion

Here's a blog post I wrote about scoping the IT portions of audits correctly.  It explains most of John's miraculous transformation in "The Phoenix Project", where he goes from a bottom-up control philosophy, to a top-down risk based philosophy.

One of the underpinning tools for this is GAIT and GAIT-R, which we developed as part of a task team at the Institute of Internal Auditors in response to SOX in 2005. I had the privilege of working with +Norman Marks and Ed Hill on codifying how to correctly scope the IT portions of SOX audits.

The DevOps Audit Defense Toolkit deals not so much with scoping, but with designing and demonstrating the effectiveness of controls. But between "scoping" and "substantiation", we've covered most of the skills required to plan and execute effective audits.

http://itrevolution.com/audit-101-for-devops-resource-guide-for-the-phoenix-project-part-3-correctly-scoping-it-using-gait-and-gait-r/
Bad things happen to organizations when we scope incorrectly the IT portions of an audit, especially for DevOps, as illustrated in "The Phoenix Project."

Gene Kim
owner

Discussion

More impressive work from +James Wickett on integrating infosec into continuous delivery and #devops work patterns. It talks about the mismatch of DevOps and infosec, and how to bridge them with engineering practices and technologies.

 http://www.slideshare.net/wickett/attacking-pipelinessecurity-meets-continuous-delivery
Talk given at ISC2 Secure SDLC event in Austin, TX. The release velocity for our applications is increasing, often leaving security testing behind. In some cases, the security team ends up being the bottleneck. That's bad. In an idyllic world, security testing would happen earlier in the development lifecycle, but let's do one better. Let's do security testing on every code change. Using automation tooling and DevOps practices, this talk will help y...

Gene Kim
owner

Discussion

All, thank you for all the comments on the early draft! As you might have seen, we've been responding to the comments, integrating new text into the draft.

Due to various other commitments, we've taken a 2 week hiatus.  We'll resume work on it next week.

PS: George Hulme wrote a great article on the toolkit here: http://devops.com/features/devops-getting-past-audit/
When subject to an audit, DevOps processes can be challenging for auditors to understand; it is important that processes which track everything are used.

Jeff Gallimore

Discussion

Some good thoughts in here about compensating controls in a DevOps environment. Other ideas not addressed in the article would be code reviews and automated testing (of all forms).

Gene Kim
owner

Discussion

All -- +Jeff Gallimore +Byron Miller +James D and I have all been working on the document. Expect reviewable document on May 14th. I'm so excited about the work we've done.  The team is working, and the work is good.  :)

Stay tuned.
3 comments

+Chris Price Yes, please feel free to share with your auditors -- we'd love to hear what they think, and if they have any concerns or objections that we should have put into the doc.  Thanks!  --Gene

James D

Discussion

This article highlights that in continuous develop/deploy environments there are systems, such as Jenkins, to integrate with other systems (hosted and local).

Challenge: To provide some level of assurance, an auditor would need to define these connections and specify a level of trust.

Request: Are teams considering sandboxing their DevOps activities to linkable (and able to document/whiteboard on demand) systems, or are teams simply not leveraging such abstracted systems?

Curious on ideas on this premise, the reality, and any activities.
Here's another post (mine) about using Jenkins in a critical develop/deploy environment. We apply comprehensive access control, and capture a detailed audit of Jenkins interactions with end-users and with system credentials.

http://www.conjur.net/blog/2014/03/06/conjur-jenkins.html

Mike Kavis

Discussion

Been through 2 SOC2 and 1 HIPAA audit on 100% AWS implementations (2 different companies). Interested to participate in discussions here.
4 comments

I have not used it yet